Viagra Spam

[imron]

Just to let you know it appears there is currently someone spamming the forums with viagra spam, some of which is making it through the moderation queue.

 

My guess is because the spammer is guessing user names from a common list (all the accounts blocked so far have had common names - julie, elizabeth, shane, henry, etc) and trying common passwords against them.  Some of those accounts have been registered for years and therefore already validated as reputable in terms of not making spam posts.

 

Anyway, thanks to all people who have reported this so far, and keep reporting new instances if you see them come up.

 

Thanks.

[roddy]

That's a new one. Keep sending in the post reports folks, and me and Imron will work hard for hours and hours. 

[imron]

I wonder how far down 'roddy' is on the list. I hope you have a strong password ;-)

[abcdefg]

Should we change passwords to keep our accounts from being abused or highjacked?

 

(Dumb question. I will just do it.) 

[imron]

Only if your password is abcdefg or 123456 or something easily guessable such as a dictionary word or a word on lists such as this.

[abcdefg]

It was OK before, but I already changed it to something stronger. No harm in doing that periodically: A change was overdue anyhow, even without this recent flurry of Viagra spam.

[roddy]

Yeah, looks to be a case of common passwords. Although if my username was abcdefg, I'd want my password to be 1234567 just for the symmetry. If you do have a weak password (dictionary word or sequential numbers or letters, your username, blah blah) you might want to change it. I should maybe also shut down very old dormant accounts.

[889]

Am I correct passwords are not encrypted here? If so, that leaves a door open.

 

http://www.chinese-forums.com/index.php?app=core&module=global&section=login&do=process

[roddy]

It's a door I've never seen anyone walk through in over a decade. IF someone targets you with a man in the middle attack, and IF you're using that same password for something important (I'm fairly sure nobody's desperate to take over Chinese-forums.com accounts) then maybe you have a problem, but otherwise I can't see this as an issue for the site, and none of the similar sites I use encrypt login. If there are risks I'm not aware of here, point 'em out, but I don't see this as a priority at the moment. 

 

Passwords are encrypted in the database - hashed and salted, I believe. 

 

If anyone has changed their password recently and is having trouble getting the site to keep them logged in, you may need to clear cookies for the site - if you can't figure out how to do that let us know what browser you're using. 

[889]

"I'm fairly sure nobody's desperate to take over Chinese-forums.com accounts."

 

But I thought the point of this thread was that someone was in fact doing this.

 

In any event, apart from the possibility that some folks might foolishly use the same password here they use on their bank accounts, there's the more reasonable possibility that other less foolish folks might sometimes absentmindedly try to sign in with the wrong password and thus inadvertently disclose their bank account password or such.

 

Point is, in 2015 if not 2005 it's just basic good web practice for a sign-in page to be encrypted.